From: Tom Hughes <tom@compton.nu>
Date: Thu, 8 Nov 2018 17:51:23 +0000 (+0000)
Subject: Merge remote-tracking branch 'upstream/pull/2051'
X-Git-Tag: live~3867
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/6ca22de4f2c68e4b14a6e2f0938a8657c33adc31?hp=70d6880e10881dfd4b68f51cf16609a9f8aaff24

Merge remote-tracking branch 'upstream/pull/2051'
---

diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index f55f19e4e..d7a100057 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -8,6 +8,8 @@ class Ability
     can [:index, :rss, :show, :comments], DiaryEntry
     can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
          :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
+    can [:index, :show], Redaction
+    can [:index, :show, :blocks_on, :blocks_by], UserBlock
 
     if user
       can :welcome, :site
@@ -18,6 +20,8 @@ class Ability
       if user.moderator?
         can [:index, :show, :resolve, :ignore, :reopen], Issue
         can :create, IssueComment
+        can [:new, :create, :edit, :update, :destroy], Redaction
+        can [:new, :edit, :create, :update, :revoke], UserBlock
       end
 
       if user.administrator?
diff --git a/app/controllers/redactions_controller.rb b/app/controllers/redactions_controller.rb
index b8ecce9e2..45a41058c 100644
--- a/app/controllers/redactions_controller.rb
+++ b/app/controllers/redactions_controller.rb
@@ -3,8 +3,9 @@ class RedactionsController < ApplicationController
 
   before_action :authorize_web
   before_action :set_locale
-  before_action :require_user, :only => [:new, :create, :edit, :update, :destroy]
-  before_action :require_moderator, :only => [:new, :create, :edit, :update, :destroy]
+
+  authorize_resource
+
   before_action :lookup_redaction, :only => [:show, :edit, :update, :destroy]
   before_action :check_database_readable
   before_action :check_database_writable, :only => [:create, :update, :destroy]
diff --git a/app/controllers/user_blocks_controller.rb b/app/controllers/user_blocks_controller.rb
index 2b7bf3f58..70dfddf83 100644
--- a/app/controllers/user_blocks_controller.rb
+++ b/app/controllers/user_blocks_controller.rb
@@ -3,8 +3,9 @@ class UserBlocksController < ApplicationController
 
   before_action :authorize_web
   before_action :set_locale
-  before_action :require_user, :only => [:new, :create, :edit, :update, :revoke]
-  before_action :require_moderator, :only => [:new, :create, :edit, :update, :revoke]
+
+  authorize_resource
+
   before_action :lookup_user, :only => [:new, :create, :blocks_on, :blocks_by]
   before_action :lookup_user_block, :only => [:show, :edit, :update, :revoke]
   before_action :require_valid_params, :only => [:create, :update]
diff --git a/test/controllers/redactions_controller_test.rb b/test/controllers/redactions_controller_test.rb
index 0bf57c310..fa56814b2 100644
--- a/test/controllers/redactions_controller_test.rb
+++ b/test/controllers/redactions_controller_test.rb
@@ -63,8 +63,7 @@ class RedactionsControllerTest < ActionController::TestCase
     session[:user] = create(:user).id
 
     get :new
-    assert_response :redirect
-    assert_redirected_to redactions_path
+    assert_response :forbidden
   end
 
   def test_create_moderator
@@ -140,8 +139,7 @@ class RedactionsControllerTest < ActionController::TestCase
     session[:user] = create(:user).id
 
     get :edit, :params => { :id => create(:redaction).id }
-    assert_response :redirect
-    assert_redirected_to(redactions_path)
+    assert_response :forbidden
   end
 
   def test_update_moderator
diff --git a/test/controllers/user_blocks_controller_test.rb b/test/controllers/user_blocks_controller_test.rb
index 77b17519e..4371e3f82 100644
--- a/test/controllers/user_blocks_controller_test.rb
+++ b/test/controllers/user_blocks_controller_test.rb
@@ -145,8 +145,7 @@ class UserBlocksControllerTest < ActionController::TestCase
 
     # Check that normal users can't load the block creation page
     get :new, :params => { :display_name => target_user.display_name }
-    assert_redirected_to user_blocks_path
-    assert_equal "You need to be a moderator to perform that action.", flash[:error]
+    assert_response :forbidden
 
     # Login as a moderator
     session[:user] = create(:moderator_user).id
@@ -189,8 +188,7 @@ class UserBlocksControllerTest < ActionController::TestCase
 
     # Check that normal users can't load the block edit page
     get :edit, :params => { :id => active_block.id }
-    assert_redirected_to user_blocks_path
-    assert_equal "You need to be a moderator to perform that action.", flash[:error]
+    assert_response :forbidden
 
     # Login as a moderator
     session[:user] = create(:moderator_user).id
@@ -361,8 +359,7 @@ class UserBlocksControllerTest < ActionController::TestCase
 
     # Check that normal users can't load the block revoke page
     get :revoke, :params => { :id => active_block.id }
-    assert_redirected_to user_blocks_path
-    assert_equal "You need to be a moderator to perform that action.", flash[:error]
+    assert_response :forbidden
 
     # Login as a moderator
     session[:user] = create(:moderator_user).id